
Part II Strategy for developing proprietary project information on a secure computer

Last Modified: 2017-05-17
Hi.

For background information, the initial requirements and my selected solution, you will need to refer to my previous question at:
https://www.experts-exchange.com/questions/29021535/Strategy-for-developing-proprietary-project-information-on-a-secure-computer.html

From what I've understood so far, and from my further investigation, I will then need to upgrade to Windows 10 Pro for encryption and better control of whitelisting and blacklisting.

My additional requirements are:

Windows Pro upgrade.
Microsoft Office 365 subscription and a limited set of application software (TBD).
I want to eliminate all unnecessary pre-loaded application software and bloatware (when should I do this?).
(I will avoid using admin account as default user account.)
I want easy control of whitelisting and blacklisting, hopefully, without needing a lot of additional technical knowledge.

With those additional requirements, today's question is:
Suggest the necessary implementation strategy with sequence of steps, and any other utility software that might be required.

Thank you,
WaterStreet


Commented:
Split this into several questions, please - it's too much for one, by far, because you demand to know even the sequence of steps.
David Johnson, CD

Commented:
The only real effective method is to air gap that machine. Disable all networking from before you load the proprietary software until you are finished and unload the software, and BitLocker encrypt the drive in case you lose the laptop.
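An added example (not David's code) of that sequence on the new laptop, run from an elevated PowerShell before any project files are copied in: every network adapter is disabled and checked, then the OS drive is BitLocker-encrypted with the TPM as the unlock and a recovery password as the backup. It assumes a TPM-equipped machine with Windows 10 Pro and a single system volume on C:.

```powershell
#Requires -RunAsAdministrator
# Step 1: air gap. Disable every NIC (Ethernet, Wi-Fi, Bluetooth PAN, virtual
# adapters). They stay disabled across reboots until Enable-NetAdapter is run
# deliberately, which is the point: no "auto-reconnect" while the data is loaded.
Get-NetAdapter | Disable-NetAdapter -Confirm:$false

# Verify nothing is still up before proceeding; fail loudly rather than silently.
$up = Get-NetAdapter | Where-Object Status -eq 'Up'
if ($up) { throw "Still connected: $($up.Name -join ', ')" }

# Step 2: BitLocker. Refuse to continue without a ready TPM, otherwise the
# protector would fall back to something weaker than intended.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; initialise it in tpm.msc first'
}

# Full-volume XTS-AES-256 with the TPM as the unlock protector. -SkipHardwareTest
# avoids the reboot-and-test cycle; drop it if you want that extra check.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# A recovery password is the only way back in if the TPM is cleared or the board
# is replaced. Record it offline (paper, or a separate encrypted USB stick),
# never in a file on this laptop.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$vol      = Get-BitLockerVolume -MountPoint 'C:'
$recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Host "Recovery password (record offline now): $recovery"

# Encryption continues in the background; re-run this until VolumeStatus is
# FullyEncrypted and ProtectionStatus is On before trusting the drive.
Get-BitLockerVolume -MountPoint 'C:' | Format-List VolumeStatus, EncryptionPercentage, ProtectionStatus
```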

Author

Commented:
David,

"Disable all networking from before you load the proprietary software until you are finished and unload the software..."

So, I think you're saying:
1. With the new laptop disconnected from the network, download the installation programs onto a USB drive connected to one of my networked laptops; and then use the USB drive on the new computer to install the software.
2. Then, after my required software is loaded, unload the bloatware.

Author

Commented:
While waiting for the requested clarification from David, I opened a separate question, which was embedded in this one:

https://www.experts-exchange.com/questions/29022423/Removing-bloatware-from-the-new-computer-after-Windows-Pro-is-installed.html
btan, Exec Consultant
Commented:
The most straightforward strategy is to centrally manage and enforce policy via GPO for all domain-joined machines. Standalone machines will have to be handled likewise but locally; treat them as outliers, but encourage them to be domain machines if possible to avoid lapses in the patching regime.

1) Application whitelisting - AppLocker via GPO.

Enforce authorised executables. See these steps, add on any further files, and keep the default rules allowed.

https://blogs.technet.microsoft.com/askpfeplat/2016/06/27/applocker-another-layer-in-the-defense-in-depth-against-malware/

Add-ons are:
- CryptoPrevent from FoolishIT.
- Anti-ransomware like Malwarebytes Anti-Ransomware or WinPatrol AntiRansom.

2) Device control - Focus on disallowing installation of new devices and restricting use to authorised ones only. See some GPO settings.

https://technet.microsoft.com/en-us/library/2007.06.grouppolicy.aspx

- Additions come from the HIPS, if you already have one, to add on to the device and application controls, like Symantec SEP. There are others such as DeviceLock and related Data Loss Prevention solutions; quite a number from McAfee and Symantec too.

3) Network Share Permissions - Most ransomware can now encrypt files inside shared folders it may find on your network.

You can limit damage with network permissions for access control; more at the file/folder permission properties on file servers, especially those common shares hosted under the same backend systems. Suggestions, e.g.:
- Restrict write access only to users and groups who absolutely need it.
- Anyone needing to access files in these locations can still do so with read-only access, but they cannot modify the files.

Employ a protocol regime in the operations team to have user support seek approval for files on read-only shares for users without write access. More for oversight, but it needs further discussion with your stakeholders. Reduces attack surface.

These are quick low-hanging fruit to reduce attack surface.
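An added example (not btan's code, and not from the linked Microsoft articles) that applies the three controls above locally on a standalone Windows 10 machine, in the order a careful admin would: AppLocker rules for an approved-software folder in audit mode first, a device-installation restriction, and a read-only ACL on the project folder. It assumes the AppLocker default rules for Windows and Program Files were already created in secpol.msc (as the linked post walks through), that installers were copied to the hypothetical C:\ApprovedApps, and that local groups ProjectReaders and ProjectEditors exist for the hypothetical D:\ProjectData.

```powershell
#Requires -RunAsAdministrator
# Hypothetical locations and groups; adjust to the real layout.
$ApprovedDir = 'C:\ApprovedApps'
$ProjectDir  = 'D:\ProjectData'
$PolicyFile  = Join-Path $env:TEMP 'approved-apps.xml'

# 1) Application whitelisting. Publisher rules for signed files, hash rules for
#    unsigned ones, covering only the approved folder. -Merge keeps the default
#    rules already in the local policy, so Windows itself is not locked out.
$files  = Get-AppLockerFileInformation -Directory $ApprovedDir -Recurse -FileType Exe,WindowsInstaller,Script
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher,Hash -User Everyone -RuleNamePrefix Approved -Optimize -Xml
# Start in AuditOnly: nothing is blocked yet, but event ID 8003 in the AppLocker
# event log records every file that WOULD be blocked, so gaps surface first.
$policy = $policy -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyFile -Value $policy -Encoding Unicode
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
Start-Service AppIDSvc   # Application Identity service must run for AppLocker to act

# Check the merged result: a system binary must be allowed, a stray download not.
# Switch the rule collections to EnforcementMode="Enabled" only after this is clean.
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", "$env:USERPROFILE\Downloads\unknown.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 2) Device control: refuse to install any device not allowed by another policy
#    (the "Prevent installation of devices not described by other policy settings"
#    GPO). Devices already installed keep working.
$devKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path $devKey -Force | Out-Null
Set-ItemProperty -Path $devKey -Name DenyUnspecified -Value 1 -Type DWord

# 3) Share permissions: drop inherited ACEs, then readers get read/execute only,
#    a small editor group gets Modify, and SYSTEM/Administrators keep control so
#    the folder is never orphaned.
$acl = Get-Acl -Path $ProjectDir
$acl.SetAccessRuleProtection($true, $false)
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($entry in @(
        @('NT AUTHORITY\SYSTEM', 'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('ProjectEditors', 'Modify'),
        @('ProjectReaders', 'ReadAndExecute'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($entry[0], $entry[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ProjectDir -AclObject $acl
```

AppLocker enforcement is documented by Microsoft for the Enterprise and Education editions; on Pro, confirm with Test-AppLockerPolicy and the 8003/8004 events that rules actually take effect before relying on them.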
David Johnson, CD
Commented:
So, I think you're saying:
1. With the new laptop disconnected from the network, download the installation programs onto a USB drive connected to one of my networked laptops; and then use the USB drive on the new computer to install the software.
2. Then, after my required software is loaded, unload the bloatware.
Exactly, the machine must be air-gapped from the network/internet.

Author

Commented:
Thank you both

Author

Commented:
New follow-up question:
See "Windows 10 Enterprise security for just one laptop user"
